Malware Activity

HardBit 2.0 Ransomware Urges Victims for Cyber Insurance Policy Details Prior to Establishing Ransom Amount

Researchers have observed samples of "HardBit 2.0" circulating throughout 2023 thus far and noted an interesting tactic in the latest campaign. HardBit, first discovered in October 2022, introduced version 2.0 in November 2022. It focuses on exfiltrating sensitive data after gaining initial access to victims' networks and then encrypting all data. The ransomware attempts to evade analysis by gathering data about the victim machine through Web-Based Enterprise Management (WBEM) and Windows Management Instrumentation (WMI) functions. It then performs various techniques to lower the machine's security, such as deleting the Volume Shadow Copy Service (VSS) and the Windows backup utility, editing the boot configuration, disabling Windows Defender Antivirus features, and terminating services. Data is then encrypted and the ransom note is dropped. At this time, the operators behind the ransomware have not created a leak site to publish the stolen data, and double extortion does not appear to be in their playbook.

In the dropped ransom note, HardBit urges victims to contact them through the Tox instant messaging platform or by email within forty-eight (48) hours of discovery. Rather than specifying a bitcoin amount in the note, the threat actors explain that they seek to negotiate a settlement with each victim. Victims with cyber insurance policies are urged to privately share their policy details during the negotiations so that HardBit's demands fall within the policy limits. The operators frame this tactic as benefiting both HardBit and the victim, as opposed to the "poor multimillionaire insurers." If the ransom is not paid, HardBit often threatens additional attacks against the organization.

CTIX recommends that victims of HardBit 2.0 engage an incident response firm to facilitate remediation and investigation of the incident. Indicators of compromise (IOCs) can be viewed in the report linked below.
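As an added illustration (not code from the CTIX report and not HardBit IoCs), a small detection routine that tags process-creation command lines matching the defence-lowering steps described above, using common generic forms of those commands that are assumed here, and alerts when one account shows several of them together:

```python
import re
from collections import defaultdict

# Generic command-line forms of the defence-lowering steps the write-up names;
# assumed here for illustration, not indicators taken from the HardBit report.
PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    "boot_config_tampering": re.compile(r"bcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "defender_tampering": re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    "service_termination": re.compile(r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+/f)\b", re.I),
}

# Constructed sample process-creation log, one event per line: "<timestamp> <user> <command line>"
SAMPLE_LOG = """\
2023-02-20T10:01:02Z CORP\\alice vssadmin.exe delete shadows /all /quiet
2023-02-20T10:01:05Z CORP\\alice wbadmin delete catalog -quiet
2023-02-20T10:01:07Z CORP\\alice bcdedit /set {default} recoveryenabled no
2023-02-20T10:01:09Z CORP\\alice powershell Set-MpPreference -DisableRealtimeMonitoring $true
2023-02-20T10:01:11Z CORP\\alice net stop MSSQLSERVER /y
2023-02-20T10:05:00Z CORP\\bob notepad.exe C:\\Users\\bob\\notes.txt
"""

def classify(cmdline):
    """Return the set of technique names whose pattern matches this command line."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmdline)}

def scan_log(text):
    """Parse each line into (timestamp, user, cmdline); return (user, cmdline, techniques) for matches."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line, skip rather than guess
        _ts, user, cmdline = parts
        hits = classify(cmdline)
        if hits:
            findings.append((user, cmdline, hits))
    return findings

def users_to_alert(findings, threshold=3):
    """Collect distinct techniques per user; return users at or above the threshold."""
    seen = defaultdict(set)
    for user, _cmd, hits in findings:
        seen[user] |= hits
    return {u: techs for u, techs in seen.items() if len(techs) >= threshold}

if __name__ == "__main__":
    for user, techs in users_to_alert(scan_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {', '.join(sorted(techs))}")
```

A single match (an administrator legitimately clearing old shadow copies) is noise; the chain of several distinct techniques under one account in a short window is what distinguishes ransomware staging.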


Threat Actor Activity

Earth Yako Actors Target Japanese Education Sector

Threat actors from the Earth Yako APT group have been conducting a year-long campaign against Japanese think tanks, researchers, and academic institutions. Earth Yako is a lesser-known threat group, but this operation shows it is capable of significant impact and that its motivation is cyberespionage against its victims. The operation, dubbed Operation RestyLink/Enelink, began in January 2022 and has continuously targeted entities throughout the education sector with a variety of malicious tools and software. The standard point of entry for Operation RestyLink is spearphishing: the lure attempts to persuade the user to download an embedded attachment, which eventually leads to the background download of one (1) or more malicious programs such as "MirrorKey" (DLL loader), "TransBox" (trojan), "PlugBox" (trojan), "Dulload" (generic), "PULink" (dropper), and "ShellBox" (stager). Incidents analyzed in this campaign include a Japanese academic center compromised in March 2022, where MirrorKey and TransBox payloads were deployed. Months later, in June, Earth Yako actors compromised researchers at another Japanese academic center and used MirrorKey and PlugBox payloads to further infect the compromised asset(s). Several additional incidents have occurred throughout this campaign, oftentimes for espionage purposes. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional updates accordingly.


Vulnerabilities

Fortinet Patches Two Critical Vulnerabilities that Allow Attackers to Perform Arbitrary Code or Command Execution

Fortinet has patched two (2) critical vulnerabilities affecting two (2) of its network cybersecurity solutions. The first flaw, tracked as CVE-2022-39952, was given a 9.8/10 CVSS score and is an external control of file name or path vulnerability impacting the FortiNAC product, a network access control solution that lets Fortinet customers manage network access to prevent threats. If exploited, an unauthenticated attacker could perform arbitrary write operations on a vulnerable system, allowing them to make configuration changes as well as move laterally across the network.

The second flaw, tracked as CVE-2021-42756, was given a CVSS score of 9.3/10 and stems from multiple stack-based buffer overflow vulnerabilities impacting the FortiWeb product. FortiWeb is Fortinet's web application firewall (WAF) solution, which helps customers protect their internet-facing applications and APIs from web-based attacks such as cross-site scripting (XSS), SQL injection, and distributed denial of service (DDoS). Threat actors could exploit this flaw by sending maliciously crafted HTTP requests, leading to arbitrary code execution. Fortinet has not provided manual mitigation techniques, and CTIX analysts recommend that all network administrators responsible for vulnerable Fortinet solutions patch their products immediately.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.